User's Manual
11-7
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 11 Configuring Authentication Types
 Understanding Authentication Types
Figure 11-5 shows the reassociation process using CCKM. 
Figure 11-5 Client Reassociation Using CCKM
Using WPA Key Management
Wi-Fi Protected Access is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.
WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-shared key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK.
Note The unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) might not match the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a different cipher suite from the previously negotiated one, there is no way for the access point and client to switch to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.
See the “Assigning Authentication Types to an SSID” section on page 11-10 for instructions on configuring WPA key management on your access point.
[Figure 11-5 Client Reassociation Using CCKM. Elements: Roaming client device, Access point, WDS Device (Router/Switch/AP), Authentication server, Wired LAN. Messages: Reassociation request, Reassociation response, Pre-registration request, Pre-registration reply.]